Apple Addresses Zero-Day Exploits for Multiple Products - 20230908003

Overview

Apple has released security updates to address vulnerabilities in multiple products. Apple reports that a maliciously crafted attachment may result in arbitrary code execution.

Apple is aware of a report that this issue may have been actively exploited.

What is the vulnerability?

• CVE-2023-41061 - CVSS v3 Base Score Pending: A validation issue that can be exploited using a malicious attachment to also gain arbitrary code execution on targeted devices.
• CVE-2023-41064 - CVSS v3 Base Score Pending: A buffer overflow weakness gets triggered when processing maliciously crafted images, and it can lead to arbitrary code execution on unpatched devices.

What is vulnerable?

The vulnerabilities exist in the following products:

• macOS Ventura versions before 13.5.2
  • macOS Ventura
• iOS and iPadOS versions before 16.6.1
  • iPhone 8 and later
  • iPad Pro (all models)
  • iPad Air 3rd generation and later
  • iPad 5th generation and later
  • iPad mini 5th generation and later
• watchOS versions before 9.6.2
  • Apple Watch Series 4 and later

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of two weeks... (refer Patch Management):

• macOS Ventura 13.5.2: https://support.apple.com/en-gb/HT213906
• iOS and iPadOS 16.6.1: https://support.apple.com/en-gb/HT213905
• watchOS 9.6.2: https://support.apple.com/en-gb/HT213907